But as private sector lobbyists oppose new security requirements, the wheels of Congress and regulation have moved slowly, largely by promoting best practices that hospitals can and do choose to ignore.
So are relatively unknown electronic payment providers like UnitedHealth Group's Change Healthcare. The company was the target of an attack last month, launched by hackers affiliated with the ransomware gang ALPHV, that severed a critical link between healthcare providers and patients' insurance companies in the worst healthcare-sector hack reported so far. Change Healthcare announced Monday that it has provided $2 billion in advance payments to pharmacies, hospitals and other health care providers who were unable to receive insurance reimbursement due to the network outages.
Critics say the Change Healthcare debacle, which damaged patient care at nearly three-quarters of U.S. hospitals, shows that defense efforts are woefully inadequate. A complete response, they say, would include strict security requirements for the most critical parts of the sprawling system, followed by less stringent but still sufficient rules for large hospital systems. The smallest providers, who may have no security personnel at all, should receive support, as called for in the government's budget proposals.
“We need to make sure we know where these vulnerabilities are,” Nitin Natarajan, deputy director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, acknowledged in an interview. “We're looking at what levers are there.”
Some members of Congress say it should have happened already.
“The government needs to prevent this type of devastating hack from happening over and over again,” Sen. Ron Wyden (D-Ore.) told The Washington Post. “I look forward to working with the Biden administration to implement mandatory and specific cybersecurity rules as soon as possible to ensure CEO accountability.”
Deputy National Security Adviser Anne Neuberger said the White House was considering what laws could be used to impose such standards on a reluctant industry, while telling executives that they are expected to comply with the voluntary guidelines immediately.
“The Hill hasn't passed legislation requiring agencies to have minimum standards, so we're leveraging industry emergency authorities and rulemaking,” Neuberger told the Post on Monday.
She said there will soon be some requirements for health care providers that accept Medicare and Medicaid.
Last year, the healthcare industry was the most targeted of the 16 critical infrastructure sectors that reported ransomware attacks to the FBI's Internet Crime Complaint Center, according to an annual summary released this month.
Experts said industry resistance to security mandates is only part of the problem.
Greg Garcia, executive director of the Healthcare Industry Cybersecurity Group and a former assistant secretary of Homeland Security, said hospitals fall prey to “high money.” “If the choice is, ‘If I pay the ransom, my life will be saved, but if I don't pay the ransom, I will lose my life, or if it's a small system, I risk going out of business,’ in a sense, hackers would be confused. Probably not.”
Asked why the industry wasn't better prepared, Natarajan said part of the reason was the “complexity of the field.”
A single health service involves countless participants, including doctors, hospitals, insurance companies, pharmaceutical companies, pharmacies, and platforms like Change Healthcare, all connected electronically. Each of them, with its own technology and priorities, is a potential gateway to the entire medical world.
So if a hacker infiltrates a provider, encrypts its health or billing records, and demands money to unlock them, they can also reach adjacent targets.
More than half of all health care attacks are carried out through third parties, said Garcia, whose organization is called the Health Sector Coordinating Council Cybersecurity Task Force.
The complexity is further compounded by the existence of separate regulators in many parts of the healthcare economy, some of which propose different security guidelines or none at all. The Department of Health and Human Services, the largest authority, enforces rules to protect sensitive health data and is investigating the Change Healthcare breach. HHS did not respond to a request for comment.
Last year, CISA named healthcare one of its top technology security priorities, along with water, public schools, and voting systems. The agency offers free vulnerability assessments and training, and in the past year has helped warn nearly 100 healthcare providers that their systems were under attack before it was too late.
One of the key questions is whether victims should pay hackers a ransom to unlock their systems once the hackers have taken control of them.
“We strongly discourage paying ransoms to stop the flow of funds to criminals and deter attacks,” the White House said in a statement.
However, many cyber insurance companies offer to pay claims if data backups are not available.
If a health care provider doesn't pay, the consequences can be dire. Change Healthcare's parent company, UnitedHealth Group, has not denied reports that it held out for two weeks before transferring $22 million to the Russian-speaking ransomware group ALPHV.
In this case, most of the harm was done not only to other organizations that relied on Change Healthcare, but also to patients who found themselves unable to obtain life-saving drugs without paying the same amount as the uninsured.
According to a May article in JAMA, the journal of the American Medical Association, significant collateral damage also occurred after a major attack on the Scripps hospital network in San Diego in 2021. According to reports at the time, Scripps did not pay the ransom. The study found that the time lost by patients being diverted to other emergency rooms more than doubled in the first few days after the attack.
Inside Scripps, critical equipment, including electronic patient records, became inoperable, doctors told The Washington Post. Some young doctors, who had never used paper charts before, simply went home.
“If the patient remembered, we had to hope that he would tell us what medicines he was taking and what surgeries he had,” one doctor said. “I'm sure we made a mistake.”
Some security industry veterans, who had seen a rash of data breaches in the healthcare industry before the coronavirus outbreak, foresaw the ensuing surge in ransomware and in March 2020 formed a volunteer group, the Cyber Threat Intelligence League, that scanned hospital networks remotely for vulnerabilities and alerted facilities at risk.
Members also advised hospitals that had already been attacked and were in dire straits.
“Personally, I have no doubt that lives were lost,” said CTI League co-founder Mark Rogers. “We know that talking to a hospital in the wee hours of the morning can cost lives if the hospital has no way to access the patient's medical records or use more sophisticated systems.”
In many cases, Rogers recalled, hospitals were reluctant to accept advice from strangers, even when CISA or the FBI vouched for it. Smaller hospitals often lacked connections with the industry's nonprofit security information sharing groups. Through trial and error, the league found that the best way to communicate tips and fixes was often through the equipment and software vendors with whom the facilities already had technical contacts.
The league's biggest successes came the several times it discovered critical software flaws at hospitals, confirmed that ransomware hackers were exploiting the same flaws elsewhere, and explained the situation to the hospital in time for it to catch intruders who had already gotten inside before they could encrypt its systems. CISA is now taking the same approach.
Rogers, a former security executive at the Internet security company Cloudflare, said greater collaboration and improved guidelines from federal agencies are only part of the solution. The fact remains that many hospitals are small nonprofit organizations with no one to set up even minimal controls over online access, such as multi-factor authentication rather than passwords alone.
“None of this takes into account the lack of funding to do something like this,” Rogers said. “These hospitals are still under-resourced. If you go to a rural hospital, they would be happy to have cybersecurity expertise.”
He added that the government's approach so far has meant “we're giving them a list of things to do, but we're not giving them the means to do it.”